All Accounts Payable departments should be on the alert for an Invoice PDF substitution scam which is operating across multiple countries and industries.
How the Scam Works
The fraudster intercepts a genuine PDF Invoice emailed by a supplier. The fraudster edits the PDF, changing the bank details to an account under the fraudster’s control. The fraudster then re-sends the Invoice to the purchaser from an email account which the fraudster controls and which looks similar to the supplier’s email address.
The purchaser’s Accounts Payable department settles the Invoice to the fake bank account, and the fraud is only discovered when the genuine supplier contacts the business regarding non-payment.
Sometimes the Accounts Payable department has tried to check the validity of the new Invoice and bank details by replying to the fraudster’s email. Unfortunately, this means the purchaser is emailing the fraudster, who is only too happy to confirm the change of bank details.
This fraud is enabled by email networks, which by their nature can be breached at a number of points, and by PDF documents, which are not as safe as many users believe (PDFs can be edited either with a commercial editor or with zero day exploits).
Who is Vulnerable?
This Invoice substitution fraud is happening in many countries and across numerous industries.
Companies which are purchasing globally are especially vulnerable to this type of scam because (due to time zones) it is harder to phone the supplier and check the changes. It is also less suspicious that, for example, a company in Australia supplying a company in France would suddenly open a new bank account in Europe.
Another weakness is in companies where one person (such as the AP clerk) is responsible for changing the banking details and another person (say the CFO) is responsible for authorising the payment. While this separation of activities makes it harder for staff to defraud their own company, it makes it easier for an external fraudster to trick the Accounts Payable team and blindside the authoriser.
Because the fraud requires quite a lot of work from the fraudsters, they are targeting high value Invoices. For example, if fraudsters have to break into a network, view the emails, edit a PDF, make a new email account, send a new email, set up a bank account and visit the bank to withdraw the funds, they won’t bother doing all this manual work for $10. So the fraudsters are waiting until there is an Invoice of many thousands of dollars before they strike.
How to Protect Yourself
Companies that are trading via EDI or EDI variants (such as Document Digitization and Web Portals) have protection against these types of attack. If you don’t have most of your documents transmitted in this way then you should consider talking to B2BE about upgrading your systems.
However, even companies that have the majority of their transactions via EDI may still have to make infrequent purchases of large ticket items. These may be invoiced via email or mail, and it is these transactions that are especially vulnerable.
In these instances Accounts Payable departments can take the following practical safeguards:
- Always phone the company that has requested a change of bank details and confirm the details of the new bank account with someone whose voice is previously known to the person making the call.
- Never use the contact details in the email (such as phone / email) to contact the company that is making the bank account change. Look up the details from another trusted source (such as your own database, CRM system or the phonebook).
- Accounts Payable staff should scrutinise Invoices for any irregularities, including a change of name, amount or address. The fraudster, in editing the PDF, may also inadvertently alter the look of the Invoice, e.g. is the logo in the Invoice blurred?
- If the payment is being authorised by someone other than the person making the change to the bank account, then have a mechanism for flagging to them that there has been a change to the banking details of the company you are paying.
- For any large payments, consider setting up a meeting (or at least having a phone call) with the company Invoicing your company so that you satisfy yourself that the payment will be sent to the correct bank account and recipient.
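The safeguards above can be partly automated as a pre-payment check that holds any Invoice whose sender domain or bank details disagree with a trusted vendor master, and that flags the change to the authoriser for large payments. The Python script below is an added example, not B2BE's code or part of the original article. The vendor master, invoice records, domain names, account numbers and phone number are all constructed placeholders, and treating an edit distance of two or less as a lookalike domain is an assumed threshold.

```python
"""Pre-payment check for the warning signs in an Invoice substitution scam.

Added example with constructed data; not B2BE's code. It compares an incoming
Invoice against a vendor master held by the purchaser (the "other trusted
source" the advisory recommends) and never uses contact details from the email.
"""
from dataclasses import dataclass, field

# Constructed vendor master: the trusted record of each supplier's email
# domain, bank account and a verification phone number looked up independently.
VENDOR_MASTER = {
    "ACME Widgets Pty Ltd": {
        "email_domain": "acmewidgets.example",      # constructed
        "bank_account": "AU-062000-12345678",       # constructed
        "verification_phone": "+61 2 5550 0000",    # constructed placeholder
    },
}


@dataclass
class Invoice:
    """Fields extracted from the PDF and the covering email (constructed)."""
    supplier: str
    sender_email: str
    bank_account: str
    amount: float
    currency: str


@dataclass
class CheckResult:
    hold_payment: bool
    reasons: list = field(default_factory=list)
    notify_authoriser: bool = False  # separate approver must see the change


def sender_domain(address: str) -> str:
    """Domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_invoice(inv: Invoice, master=VENDOR_MASTER, large_amount=10000.0) -> CheckResult:
    """Hold payment if the sender or bank details disagree with the vendor master."""
    reasons = []
    record = master.get(inv.supplier)
    if record is None:
        reasons.append("supplier not in vendor master: verify before paying")
        return CheckResult(hold_payment=True, reasons=reasons)

    dom = sender_domain(inv.sender_email)
    if dom != record["email_domain"]:
        if edit_distance(dom, record["email_domain"]) <= 2:  # assumed threshold
            reasons.append(f"sender domain {dom!r} is a lookalike of {record['email_domain']!r}")
        else:
            reasons.append(f"sender domain {dom!r} does not match vendor master")

    bank_changed = inv.bank_account != record["bank_account"]
    if bank_changed:
        reasons.append(
            "bank account differs from vendor master; confirm by phoning "
            f"{record['verification_phone']} (number from vendor master, not from the email)"
        )

    return CheckResult(
        hold_payment=bool(reasons),
        reasons=reasons,
        # The advisory's flagging mechanism: a large payment whose bank
        # details changed must be surfaced to the person who authorises it.
        notify_authoriser=bank_changed and inv.amount >= large_amount,
    )


if __name__ == "__main__":
    # Constructed tampered Invoice: transposed letters in the domain, new account.
    suspect = Invoice("ACME Widgets Pty Ltd", "ar@acmewidgtes.example",
                      "AU-062000-87654321", 48500.0, "AUD")
    result = check_invoice(suspect)
    print("HOLD" if result.hold_payment else "OK", result.reasons)
```

Run it on each Invoice before it enters the payment run; anything returning `hold_payment=True` stays unpaid until the phone check against the vendor master number has been done and the authoriser has acknowledged the change.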
It is interesting to note that once one is sending PDF Invoices by email, protecting computer networks (while necessary) is not sufficient, because the interception can happen at a number of points in the journey over which any one participant in the transaction has no control. That is, even if your network is protected, you may be exposed if your trading partner, or their ISP, or some other point in the network, is penetrated.